Introduction

SaaSForge Core is a multi-tenant Next.js app: Supabase auth, Postgres with row-level security per workspace, Stripe subscriptions, Resend for invites, and an example CRUD module you can replace. You clone it, fill env vars, run migrations, then start changing product code: not wiring login for the fourth time this year.

What ships in the box

Authentication & Security

Email/password + OAuth sign-in (Google, GitHub)
Two-factor authentication (TOTP / authenticator apps)
Password reset and email verification
Login history with IP and device tracking
SSO configuration (Enterprise plan)

Multi-Tenant Workspaces

Isolated workspaces for each customer
Workspace creation, selection, and switching
Member invitations with email delivery via Resend
Ownership transfer between members
Onboarding wizard for new workspaces

Role-Based Access Control (RBAC)

4 built-in roles: OWNER, ADMIN, MEMBER, VIEWER
11 granular permissions enforced at both application and database level
Row-Level Security (RLS) on every table

Products (Example CRUD Module)

Full CRUD with server-side pagination, sorting, and filtering
Advanced data table with column visibility, row selection, and bulk actions
Soft delete with trash and restore
Tags, comments, file attachments, and custom fields
CSV import and export
Bookmarks and saved views

Subscription Billing

Stripe Checkout and Customer Portal integration
Plan-based limits (seats, records)
Billing history and invoice viewing
Usage-based credits support (extensible)

Dashboard & Analytics

KPI cards (products, members, weekly activity, current plan)
30-day activity chart powered by Recharts
Activity feed with actor details and timestamps
Quick action buttons (role-gated)

Developer Platform Features

API key generation and management
Outgoing webhooks with delivery tracking
Incoming webhook event log
Scheduled actions
IP allowlisting (Enterprise)

Audit & Compliance

Append-only audit log for every mutation
Filterable by actor, action, date range
GDPR data export and account deletion
Notification preferences (in-app, email, digest)

Marketing & Docs

Landing page, pricing, FAQ, terms, and privacy pages
This MDX documentation system (fully editable)
SEO optimization with Open Graph and structured data

Tech stack

Technology	Role
Next.js 16 (App Router)	Full-stack framework
TypeScript	Type safety
Tailwind CSS v4	Styling
shadcn/ui	Component library
Supabase	Auth + PostgreSQL + Row-Level Security
Stripe	Subscription billing
Resend	Transactional email
@tanstack/react-table	Advanced data tables
Recharts	Dashboard charts
Zod	Runtime validation
Vitest	Testing framework

Core principles

Every query is workspace-scoped -- all data is filtered by workspace_id at both the application and database level
Every mutation is authorized -- requireUser() then requireRole() on every server action
Every mutation is audited -- insertAuditLog() called after every write operation
Zod validates everything -- no unvalidated user input reaches the database

Project structure at a glance

src/
  app/
    (app)/w/[workspaceSlug]/   # Protected workspace pages
    (auth)/                     # Sign-in, sign-up, reset
    (marketing)/                # Landing, pricing, legal
    docs/                       # Documentation pages
    api/                        # API routes (Stripe webhook)
  components/                   # Shared UI components
  config/                       # Brand, routes, pricing, UI copy
  lib/                          # Business logic modules
    api-keys/                   # API key management
    attachments/                # File attachments
    audit/                      # Audit logging
    auth/                       # Authentication helpers
    billing/                    # Plan limits and billing
    bookmarks/                  # Bookmarks
    comments/                   # Comments system
    custom-fields/              # Custom field definitions
    email/                      # Email templates
    gdpr/                       # Data export and deletion
    incoming-webhooks/          # Incoming webhook events
    ip-allowlist/               # IP allowlisting
    notifications/              # Notification preferences
    rbac/                       # Roles and permissions
    saved-views/                # Saved table views
    scheduled-actions/          # Scheduled tasks
    sessions/                   # Login history
    sso/                        # SSO configuration
    supabase/                   # Database clients
    tags/                       # Tag management
    webhooks/                   # Outgoing webhooks
    workspace/                  # Workspace helpers
content/
  docs/                         # MDX documentation files
supabase/
  001_schema.sql                # Core tables
  002_rls.sql                   # Row-Level Security
  003_soft_delete_and_dashboard.sql
  004_onboarding.sql
  005_tags_comments_2fa.sql
  006_remaining_features.sql

How to use this documentation

New to SaaSForge? Start with Getting Started for the fastest path to a running app.
Want to understand the architecture? Read the Architecture Overview and Data Model.
Ready to customize? Follow the Customization and White Label Checklist guides.
Building your own features? The Adding Your Own Model guide shows you how to replace the Products module.
Need feature details? Browse the Features section for in-depth docs on Authentication, Workspaces, Billing, and more.